Open bseufert opened 9 years ago
To my understanding, it is the responsibility of the back-end to provide the right message or error stating that the account has not yet been confirmed and to prevent returning an authentication token. For example, if you look at the MVC5-SPA-Angular demo that uses ASP.NET Web API, you can add this code in the ApplicationOAuthProvider class:
```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        // Verify the credentials first; a wrong password never reveals the confirmation state.
        var user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        // Refuse to issue a token until the e-mail address has been confirmed.
        if (!await userManager.IsEmailConfirmedAsync(user.Id))
        {
            context.SetError("unconfirmed_account", "The user's account has not been activated.");
            return;
        }
        // ... rest of the code omitted ...
    }
}
```
This way your back-end will not log in users that have not confirmed their email address.
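The client half of that exchange, as an added example that is not code from the thread or the template: the SPA posts a password grant to the template's `/Token` endpoint, and the OWIN OAuth server answers with 200 and an `access_token`, or with 400 and a JSON `error`/`error_description` pair after `SetError`. The `unconfirmed_account` code and the `login` helper name are assumptions taken from the comment above.

```javascript
// Constructed example: consuming the /Token response on the SPA side.
// Assumes the provider above, which returns "unconfirmed_account" as the
// error code for an authenticated but unconfirmed user.

// Body for the resource-owner-password grant the /Token endpoint expects.
function buildTokenRequestBody(username, password) {
  return new URLSearchParams({
    grant_type: 'password',
    username: username,
    password: password,
  }).toString();
}

// Map the token endpoint's answer to a client-side outcome. A token is only
// accepted from a 200 response; a 400 is classified by its "error" code, so the
// UI can tell "confirm your e-mail first" apart from "wrong credentials".
function interpretTokenResponse(status, body) {
  if (status === 200 && typeof body.access_token === 'string' && body.access_token.length > 0) {
    return { outcome: 'authenticated', token: body.access_token };
  }
  if (status === 400) {
    switch (body.error) {
      case 'unconfirmed_account':
        return { outcome: 'unconfirmed', message: body.error_description };
      case 'invalid_grant':
        return { outcome: 'invalid_credentials', message: body.error_description };
      default:
        return { outcome: 'error', message: body.error_description || 'Unknown error' };
    }
  }
  return { outcome: 'error', message: 'Unexpected response ' + status };
}

// Post the grant and interpret the answer (hypothetical helper; needs fetch,
// i.e. a browser or Node 18+). The caller never receives a token for an
// unconfirmed account because the back-end never issues one.
async function login(tokenUrl, username, password) {
  const response = await fetch(tokenUrl, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildTokenRequestBody(username, password),
  });
  return interpretTokenResponse(response.status, await response.json());
}
```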
Exactly right @Developer-Kostas, let me know if you need any more clarification on this.
Thanks for the great work. Not sure of the value of the "ConfirmEmail" if login is still permitted without having confirmed the email. Is there something I've missed?